S3 Buckets and Multifactor Authentication

  • 4 April 2019
  • 2 replies
  • 21 views


We have an FME Server setup that uploads and downloads data to/from S3 buckets, and this week all of a sudden I had several workspaces fail. One of them downloads datasets from a bucket onto the server as local resources for other jobs; the other one is a backup to a different bucket. The log says S3 access was denied, and the only thing that has changed is that we enabled MFA on our AWS user accounts this week. I've read a little about MFA and API access to S3, but the examples all include inputting the MFA code into the request. Is there a way FME can handle MFA and still get automated access to S3 buckets without needing to input an MFA code somewhere? How can we still get access to our S3 buckets through Server workspaces?

Here is the error line from the log file:

Attribute(encoded: UTF-8) : `_s3_error' has value `Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: 4A0AAECC919B8F68)'

Using FME Server 2018.1.1.2 - Build 18586 - win32 and FME Desktop 2018.1.0.1 (20180730 - Build 18528 - WIN64)


Hi @jfisch25,

I started to look into this, but it currently seems like only long-term credentials in our Amazon Web Service web connections are supported. According to this document, these might not work when MFA is enabled:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_configure-api-require.html

I filed a ticket for investigation regarding supporting MFA enabled accounts for AWS S3 and will update here as soon as we have more information on this.

UPDATE:

So I did a quick test with an AWS user account that is MFA enabled. I was able to create access keys, use them successfully in the S3Connector, and download files.

This makes me think that your access keys should still work, or at least that you should be able to create new access keys to use in FME for the user accounts you used.

Please let me know if you can confirm this.

We got around this by creating a user with programmatic access only and MFA disabled, and using those keys in the workspaces. I don't have the ability to create new users or keys, so I was not able to test your workflow @gerhardatsafe, but we figured it was probably a better setup doing it this way anyway, as opposed to using an AWS user account with console access as well. I appreciate your response and effort looking into it though!
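As an added example (not from this thread and not Safe Software's code), here is a Python script that builds a least-privilege IAM policy for a programmatic-only automation user like the one in the reply above, and checks whether a policy carries the MFA-enforcing Deny pattern from the AWS document linked in the first reply, which is what turns plain long-term access keys into a 403 AccessDenied. The bucket names and the abbreviated NotAction list are placeholders.

```python
import json

MFA_KEY = "aws:MultiFactorAuthPresent"

def bucket_arn(name):
    return f"arn:aws:s3:::{name}"

def build_s3_policy(read_buckets, write_buckets):
    """Least-privilege policy: list+get on dataset buckets, list+put on backup buckets."""
    every = sorted(set(read_buckets) | set(write_buckets))
    statements = [{"Sid": "ListNeededBuckets", "Effect": "Allow",
                   "Action": ["s3:ListBucket"],
                   "Resource": [bucket_arn(b) for b in every]}]
    if read_buckets:  # object-level reads need the "/*" object ARN, not the bucket ARN
        statements.append({"Sid": "ReadDatasets", "Effect": "Allow",
                           "Action": ["s3:GetObject"],
                           "Resource": [bucket_arn(b) + "/*" for b in read_buckets]})
    if write_buckets:
        statements.append({"Sid": "WriteBackups", "Effect": "Allow",
                           "Action": ["s3:PutObject"],
                           "Resource": [bucket_arn(b) + "/*" for b in write_buckets]})
    return {"Version": "2012-10-17", "Statement": statements}

def denies_without_mfa(policy):
    """True if a Deny statement is conditioned on aws:MultiFactorAuthPresent.
    Long-term access keys never carry MFA context, so such a policy yields 403."""
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Deny":
            continue
        for keys in st.get("Condition", {}).values():
            if MFA_KEY in keys:
                return True
    return False

# Constructed, abbreviated copy of the "force MFA" shape from the AWS doc linked above.
FORCE_MFA_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyAllExceptMfaSetupIfNoMfa", "Effect": "Deny",
    "NotAction": ["iam:EnableMFADevice", "sts:GetSessionToken"],
    "Resource": "*", "Condition": {"BoolIfExists": {MFA_KEY: "false"}}}]}

if __name__ == "__main__":
    print(json.dumps(build_s3_policy(["example-datasets"], ["example-backups"]), indent=2))
    print("force-MFA policy blocks plain access keys:", denies_without_mfa(FORCE_MFA_POLICY))
```

If a human user's group carries the force-MFA Deny, its access keys will fail from FME Server exactly as in the log above; attach only the scoped policy to the automation user instead.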
